Reflexive ACLs filter network traffic according to the session or network flow to which a given packet belongs. Frequently, organizations establish an internal network that they control, such as an intranet, and wish to link it to an external network through a limited number of routers or switches. By placing firewalls or filtering systems on these edge or border devices between the intranet and the internet, the entire intranet can be protected. Reflexive ACLs block all traffic that originates outside of the intranet unless it is associated with a network flow that was initiated by a device within the intranet. In this way, external (potentially malicious) servers and devices are unable to access any devices or data within the intranet unless an intranet device explicitly initiates the exchange that allows such access.
Physical switches acting as a border device typically contain one or more ports on an "internal" interface and one or more ports on an "external" interface. The internal interface ports connect to the intranet, and the external interface ports connect to the wider network. Often, multiple physical switches are configured to operate as a single virtual switch, and devices on either side of the virtual switch interact with it as if it were a single switch rather than several. This provides additional failover capability, load balancing, and increased bandwidth. Unfortunately, reflexive ACLs are designed to operate on a single physical switch, and they do not work when applied to a virtual switch, because the flow state that permits return traffic is held only by the physical member that saw the outbound packet.
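To make the flow-state behaviour described above concrete, here is an added example (not part of the patent text, and not any vendor's implementation) that models the per-switch state a reflexive ACL keeps and shows why that state does not carry over to a second physical member of a virtual switch. The IP addresses, port numbers, and the 300-second idle timeout are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# A flow key: (src_ip, dst_ip, src_port, dst_port, protocol). Constructed for this example.
Flow = Tuple[str, str, int, int, str]


@dataclass
class ReflexiveACL:
    """Models the flow state one physical switch keeps for a reflexive ACL.

    An outbound packet creates a temporary entry permitting the reverse flow;
    an inbound packet is forwarded only if such an entry exists and is unexpired.
    """
    timeout: float = 300.0                          # assumed idle timeout in seconds
    table: Dict[Flow, float] = field(default_factory=dict)

    def outbound(self, src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                 proto: str, now: float) -> bool:
        # Permit the reply direction: external dst_ip:dst_port -> internal src_ip:src_port.
        self.table[(dst_ip, src_ip, dst_port, src_port, proto)] = now + self.timeout
        return True                                 # inside-initiated traffic always passes

    def inbound(self, src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                proto: str, now: float) -> bool:
        key: Flow = (src_ip, dst_ip, src_port, dst_port, proto)
        expiry = self.table.get(key)
        if expiry is None:
            return False                            # no matching inside-initiated flow: drop
        if now > expiry:
            del self.table[key]                     # entry aged out: drop and forget it
            return False
        self.table[key] = now + self.timeout        # activity refreshes the entry
        return True


def virtual_switch_scenario() -> Dict[str, bool]:
    """Two physical members of one virtual switch, each with its own reflexive ACL state."""
    members = {"A": ReflexiveACL(), "B": ReflexiveACL()}
    # Constructed sample flow: internal host 10.0.0.5 opens an HTTPS connection via member A.
    members["A"].outbound("10.0.0.5", "203.0.113.9", 40000, 443, "tcp", now=0.0)
    return {
        # Reply hashed back to the same member: the reverse entry exists, so it is forwarded.
        "reply_via_A": members["A"].inbound("203.0.113.9", "10.0.0.5", 443, 40000, "tcp", now=1.0),
        # Same reply load-balanced to member B: B never saw the outbound packet, so it is dropped.
        "reply_via_B": members["B"].inbound("203.0.113.9", "10.0.0.5", 443, 40000, "tcp", now=1.0),
        # Unsolicited external connection attempt: no entry on any member, dropped as intended.
        "unsolicited": members["A"].inbound("198.51.100.7", "10.0.0.5", 12345, 22, "tcp", now=1.0),
        # Reply arriving after the idle timeout: the entry on A has aged out, so it is dropped.
        "reply_after_timeout": members["A"].inbound("203.0.113.9", "10.0.0.5", 443, 40000, "tcp", now=400.0),
    }
```

The `reply_via_B` result is the failure mode the text describes: legitimate return traffic for an inside-initiated flow is dropped whenever the virtual switch steers it to a member other than the one that recorded the outbound packet.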
To facilitate understanding, identical reference numerals have been used, where possible, to designate identical elements that are common to the figures. It is contemplated that elements disclosed in one embodiment may be beneficially utilized on other embodiments without specific recitation.